Industrial Defender advances cybersecurity visibility, maturity across OT sector with data-driven approach

Having collected data from operational environments and gained visibility into networks, the time has come for the industrial sector to up the ante and use this data to strengthen its cybersecurity position in the wake of rising threats. Industrial Defender enables the industrial sector to cut through the noise and go beyond asset visibility so that organizations can use a mature, data-driven approach to defend themselves against cyberattacks.

Established in 2006, Industrial Defender is ‘the first OT cybersecurity solution in the market’, and they protect some of the largest critical infrastructure companies in the world. The Foxborough, Massachusetts-based company takes organizations past basic network visibility and provides a deeper view of what software is installed, how critical a device is to a process, which users can access those endpoints, and who is communicating on what ports. This data helps organizations better understand where their risk lies and what mitigation plans should look like.

Peter Lund, the company’s chief technology officer (CTO), had an exclusive interview with Jonathon Gordon, directing analyst at Takepoint Research, where they discussed where the OT space needs to head next and what steps organizations are taking to mature their cybersecurity programs. They also examine how the data collected by Industrial Defender empowers organizations to make better decisions about their cybersecurity defenses.

Peter Lund, CTO, Industrial Defender

With visibility now ‘table stakes’ and organizations increasingly wanting to make it actionable in an OT context, Lund says that visibility needs to be part of a larger picture.

“Everyone likely has some sort of visibility out there, right? Lots of great solutions that can show you the real basics about your assets,” according to Lund. “It gives teams insight into who’s talking to who, maybe some bad behaviors that your network is doing, but it all comes down to actionable intelligence, like understanding your attack paths or your vulnerabilities, things that can be leveraged as an attack surface in an OT environment,” he added.

Lund added that “you need more than basic visibility to really change your posture. It’s great that you’re watching the network. It’s great that you can see the bad guys walk in, and you can see what systems they access and change. But, if you’re watching them walk in, well, you’ve already failed, right? You need to up your defenses. You need to understand – is this an edge firewall? Did someone accidentally change or put some bad rules on it? Did someone use non-complex credentials?”

Using contextual data to prioritize mitigations

Citing an example, Lund said that digging a bit deeper into the configuration of devices such as HMIs is one way to take your cyber defense program to the next level. “If you can compromise the HMI, then you can make very destructive changes. To better defend yourself, you need to dig a bit deeper and understand where your vulnerabilities are and then what the reasonable mitigations are,” he added.

“We all know you can’t just up and patch things or make changes in OT, like in IT, but understanding your exposure and then talking about quality mitigation is an important part of the equation. This could mean simply having the understanding that a vulnerability doesn’t apply because you aren’t leveraging that feature or that function of the product,” according to Lund. “It might be a situation where you’ve got a very robust set of features and a control system able to speak multiple protocols and take inputs and outputs from lots of things. When vendors write vulnerabilities, they just write it against the system as a whole or firmware as a whole, and oftentimes delete bits in there,” he added.

Organizations “need to get to that next level of detail to really know their security posture, because without it you’ll end up with an ocean of vulnerabilities that becomes unmanageable,” Lund said. “Passive monitoring brought us lots of interesting alerts that oftentimes overwhelmed the SOC with OT data out of context. Now we’ve got to dig into what those alerts really mean and peel the onion back a bit on that data,” he added.

Using visibility to understand risk

Transitioning from the wave of visibility that led to a lot of noise, often leaving organizations unsure about how to deal with it or make sense of it, Industrial Defender focuses on building context to steer the market beyond basic security alerts. The next stage of the journey should focus on how organizations can do more with less and which high-value tasks they should be spending their time on. The aim is to filter the noise by looking at what will impact the organization’s security posture, and to decide on practical steps to take.

“Visibility gives you a certain understanding of your risk. You at least know the size of the problem, you know how many things you have, you know likely how they’re spread out, how they communicate,” Lund said. “That becomes the feeder of what your current posture is. When you dig in deeper on how to reduce risk, you need to understand what holes do I need to close? What communications paths are endpoints using? There could be a full-blown operating system behind some of them. For example, a visibility tool told me it was Windows, but it couldn’t identify if it was Windows 10 or 7, or Windows XP – like lots of older control systems still run,” he added.

“That’s where you really need to dig in and take a deeper look at where your risk is. Oftentimes, you can even use a lot of the data you already have in the environment,” Lund said.

“One nice thing about our solution when it comes to vulnerability and risk is we are open,” according to Lund. “You don’t have to use our data collection framework to get those answers. We’ll take in data generated by network visibility sensors, generated by a customer spreadsheet. Let’s say you’re at a very low maturity level and you’re still doing physical walk-downs once a month, once a year, that data can be sent to us.”

“We put that data through a natural language processing machine that makes it look as if it was collected in an automated repeatable way,” Lund said. “So that when you receive it, we can put it through the normalization that we would [put] our own data from collectors and sensors,” he added.

Addressing the need for different handling of data in OT environments

“That’s a big opportunity, at least for us, in the market as a whole. Everyone has their preference on how they monitor their assets,” Lund said. “Some people are wholly passive, some are okay with walk-downs, some are okay with just putting traditional IT tools right on things. You still need something to do that next layer of maturity and risk analysis out of all that raw data,” he added.

“OT can generate a tremendous amount of data, and it’s data that, at face value, the SOC likely doesn’t fully understand or might understand it in an IT way and want to apply things like SOAR with the typical blocking or isolation or bumping up an asset offline,” Lund said. “Whereas in OT, you have to think a bit differently. You have to understand how critical an asset is to a process before you make a decision,” he added.

“When you layer on that next-level understanding of your assets with a solution like ours, you can not only pass those network visibility bits up to the SOC, but you can also talk about the vulnerabilities that have been curated, the ones that don’t matter, the ones that apply,” Lund said. “Then you can even pull in things like who’s the asset owner, where does this thing sit in the Purdue level, is this up at level one, level two, is it up higher? Is it in the DMZ? Is it public internet-facing? Is it one we really need to worry about, or is this a disconnected asset that is using serial and most likely has a very, very small attack surface and path? So someone could potentially use a Log4j exploit on it, but it’s not publicly facing the internet. It doesn’t share data with anything,” he added.

“Certainly, if someone walks in and breaks the perimeter and fence and opens the door somehow, now you have much bigger problems than a Log4j vulnerability on a PLC that generally no one knows is out there,” Lund said. “We have to be smarter about looking at vulnerabilities and comparing them against the real-world scenarios of how these devices are being used,” he added.

Turning analytics into relevant action in the OT cybersecurity market

The analytics derived from higher fidelity data can be used to identify potential cyber risks that could impact business continuity.

“Our risk framework is very, very granular and configurable so that you can decide, what types of vulnerabilities matter on what types of assets,” Lund said. “So you can cut out some of the noise before it heads to the SOC,” he added.

“It also enables the folks in the SOC to have a more meaningful conversation when they see a vulnerability, then they see some security events, maybe based on a network view, or an endpoint view that are typical tactics and techniques for exploiting it,” Lund said. “They can then call the plant manager or the operations team, who is responsible for mitigating that vulnerability, and say, ‘Hey, we’re seeing activity against vulnerabilities that you guys are known to have. I know we had talked about putting a mitigation plan in place next week, or in six months, or the next patch cycle, but something is actually happening now,’” he added.

“Those teams can then reconfigure the device, figure out if it’s compromised, start to do the incident response much faster and with more contextual information, as opposed to starting from zero in a scenario where they don’t know where the device is or who is using it,” Lund said. “With that type of context, you can quickly take your SOC to that next level,” he added.

“As we help companies mature, they run through these exercises a few times, and now they can start to create a playbook that says, okay, if the asset’s criticality to the process is low, and we see a critical vulnerability on it, it’s likely an asset we can take offline temporarily,” Lund said. “Getting that higher-level context out of the data, understanding what it means, and then building security automation around it that both IT and OT can agree on should be the goal here,” he added.

Crafting playbooks

Playbooks are something SOC analysts talk about all the time: they capture best practices, deliver a blueprint for remediating issues, and shorten the time to respond. Sometimes these playbooks are not just for the SOC but span IT and OT, and are developed on the go.

“I call them ‘outside-in playbooks’ where you get some intelligence from CISO or threat intel, and the SOC gets it and says people are targeting Siemens relays or ABB HMIs,” Lund said. “Normally everyone then runs around trying to figure out if you have those things. Well, now a SOC analyst can quickly write a query in their SIEM or whatever they’re using for a central asset inventory and say, do I have Siemens XYZ? Do I have ABB XYZ? Then you discover that Siemens XYZ is in plant one and two, and ABB XYZ is in plant four. Industrial Defender can help them figure out where those endpoints are and shore up defenses around them, as opposed to ten phone calls to asset owners that are more worried about keeping production online than they are about starting a walk down. So, the SOC gets faster answers,” he added.

The mature approach offered by Industrial Defender provides a strategic perspective instead of a tactical attitude. This type of bottom-up playbook enables SOC analysts to respond to issues faster, by combining data on the assets and business processes with threat intelligence from outside or other sources.
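To make the contextual risk curation, the playbook rule (low process criticality plus a critical vulnerability means the asset can be taken offline temporarily) and the outside-in inventory query concrete, here is an added illustration written for this article; it is not Industrial Defender’s product or its risk framework. The inventory, findings, placeholder CVE ids and scoring weights are all constructed assumptions chosen to show the idea.

```python
# Added example (not Industrial Defender's code): curate vulnerabilities with
# asset context and apply Lund's playbook rule. All data below is constructed.
INVENTORY = {
    "plant1-hmi": dict(vendor="ABB", model="XYZ", purdue=2.0, criticality="high",
                       internet_facing=False, network="ethernet", features={"web-server"}),
    "plant4-plc": dict(vendor="Siemens", model="XYZ", purdue=1.0, criticality="low",
                       internet_facing=False, network="serial", features=set()),
    "dmz-historian": dict(vendor="Acme", model="H1", purdue=3.5, criticality="medium",
                          internet_facing=True, network="ethernet", features={"web-server"}),
}
# Findings: (asset, placeholder CVE id, CVSS base score, feature the vuln needs).
FINDINGS = [
    ("plant1-hmi", "CVE-PLACEHOLDER-1", 9.8, "web-server"),
    ("plant4-plc", "CVE-PLACEHOLDER-2", 9.6, None),
    ("dmz-historian", "CVE-PLACEHOLDER-3", 7.5, "web-server"),
    ("plant4-plc", "CVE-PLACEHOLDER-4", 8.0, "web-server"),
]
CRIT_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}  # assumed weights

def contextual_score(asset, cvss, feature):
    """Curate a CVSS score against how the device is actually deployed."""
    if feature and feature not in asset["features"]:
        return 0.0                       # feature unused: vulnerability does not apply
    score = cvss * CRIT_WEIGHT[asset["criticality"]]
    if asset["network"] == "serial":     # disconnected: very small attack path
        score *= 0.25
    if asset["internet_facing"]:         # perimeter exposure dominates
        score *= 2.0
    elif asset["purdue"] >= 3.5:         # DMZ: reachable from the IT side
        score *= 1.3
    return round(score, 2)

def playbook_action(asset, cvss, feature):
    """Lund's rule: low process criticality + critical vuln -> take offline."""
    score = contextual_score(asset, cvss, feature)
    if score == 0.0:
        return "document-not-applicable"
    if cvss >= 9.0 and asset["criticality"] == "low":
        return "take-offline-temporarily"
    return "escalate-to-asset-owner" if score >= 10.0 else "schedule-next-patch-cycle"

def prioritize(findings, inventory=INVENTORY):
    """Rank curated findings so only the ones that matter reach the SOC."""
    rows = [(cve, contextual_score(inventory[n], c, f), playbook_action(inventory[n], c, f))
            for n, cve, c, f in findings]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def find_assets(vendor, model, inventory=INVENTORY):
    """Outside-in playbook query: 'do I have Siemens XYZ?' and where is it?"""
    return sorted(n for n, a in inventory.items() if (a["vendor"], a["model"]) == (vendor, model))
```

Run `prioritize(FINDINGS)` to see the internet-facing DMZ asset outrank a higher-CVSS finding on a serial-only PLC, and the finding that needs an unused feature drop to zero.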

With the right data in the right spot, “different teams and different owners in the organizations can use it for many applications, including overlaying compliance,” Lund said. “Much of this data has a compliance aspect, such as do we meet the minimum security standards that have been put in place? Are we rotating credentials? Are we making sure we’re not using insecure protocols wherever possible? Those are the types of questions that can be answered,” he added.

Industrial Defender is conducting its ‘2021/22 State of OT Cybersecurity Survey’ that asks respondents a host of questions, including if, in 2022, they plan to complete a cybersecurity/risk assessment and which area of cybersecurity they plan to invest most heavily in for OT environments. The survey also examines the biggest barriers to implementing OT security solutions, the primary method used for OT asset data collection, and if they plan to use an active OT asset inventory collection solution.
